FirstBlood-#263 — New Doctor Registration Invitation Code Leaked to the Public
This issue was discovered on FirstBlood v1
On 2021-05-15, netmous3 reported:
A new doctor registration invitation code was leaked to the public via a Reddit forum. Further, the new doctor registration on Firstbloodhacker.com did not employ two-factor verification, and the invitation code leaked to the public was not expiring. Also, the web application is not enforcing single use of the invitation code. These issues let an attacker create any number of doctor logins and access the patients' critical information.
Steps To Reproduce:
- Copy the invitation code from the Reddit forum.
- Visit the new doctor registration portal and enter the invitation code with any attacker-preferred name as the username.
- Log in to the internal doctor's portal with the new user and the supplied password via #2.
Critical information, including patients' PII data, could be leaked to the public, and Firstbloodhacker may be in violation of the GDPR regulation.
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
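
One way to enforce the single-use and expiry properties the report found missing, as an added example that is not FirstBlood's own code. The table layout, function names and the 7-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

INVITE_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime; the report gives no value


def open_store():
    """In-memory store for the example; only a hash of each code is kept."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invites ("
        "code_hash TEXT PRIMARY KEY, expires_at REAL NOT NULL, used_by TEXT)"
    )
    return db


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_invite(db, now=None):
    """Create a random invite; the plaintext is returned once and never stored."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    db.execute(
        "INSERT INTO invites VALUES (?, ?, NULL)",
        (_digest(code), now + INVITE_TTL_SECONDS),
    )
    db.commit()
    return code


def redeem_invite(db, code, username, now=None):
    """Consume the invite atomically: one UPDATE checks unused + unexpired
    and marks it used, so a leaked or replayed code cannot register twice."""
    now = time.time() if now is None else now
    cur = db.execute(
        "UPDATE invites SET used_by = ? "
        "WHERE code_hash = ? AND used_by IS NULL AND expires_at > ?",
        (username, _digest(code), now),
    )
    db.commit()
    return cur.rowcount == 1  # False for unknown, expired or already-used codes
```

Registration should create the doctor account only when `redeem_invite` returns `True`, and in the same transaction as the redemption.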